
curl-library

Re: segfault on bad hostname resolve

From: Tor Arntsen <tor_at_spacetec.no>
Date: Mon, 14 Nov 2005 17:47:17 +0100

On Nov 13, 11:00, Daniel Stenberg wrote:
>Hey
>
>Something we've done recently causes segfaults in libcurl with c-ares builds.
>
>It seems to happen at least pretty consistently on IRIX when resolving a
>non-existing host name.
>
>See examples here:
>
> http://curl.haxx.se/auto/log.cgi?id=20051113082334-18820#prob1
>
> http://curl.haxx.se/auto/log.cgi?id=20051113075753-16634#prob23
>

Unfortunately I don't right now have time to come up with a proper fix,
but here is the analysis anyway:

It's a bus error, i.e. an alignment error (provoked by casting).

In the test that fails, curl core-dumps in ares/ares_mkquery.c line 159:

  /* Finish off the question with the type and class. */
  DNS_QUESTION_SET_TYPE(q, type); <--- here

This macro resolves to
#define DNS_QUESTION_SET_TYPE(q, v) DNS__SET16BIT(q, v)
which again resolves to
#define DNS__SET16BIT(p, v) *(unsigned short*)(p) = htons(v)
in ares/ares_dns.h

However, 'q' in ares_mkquery.c is defined as:
  unsigned char *q;

which cannot be cast to an unsigned short* unless by luck it lands on
an even byte boundary. Which it doesn't in the test I ran:
(gdb) print q
$17 = (unsigned char *) 0x10031545 '\023' <repeats 11 times>
                                 ^
Boom..

-Tor
Received on 2005-11-14
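An added example illustrating the alignment problem described above. This is not c-ares code and not the fix the project adopted; the helper names (set16_safe, get16_safe, is_aligned, build_question, qtype_store_is_aligned) are made up for this illustration. It shows the alignment-safe way to write a 16-bit field into a byte buffer (two byte stores in network order instead of `*(unsigned short *)p = htons(v)`), builds a DNS question section after a 12-byte header, and reports whether the QTYPE field would have landed on an odd address, which is exactly what decides whether the cast traps on a strict-alignment CPU such as the MIPS in the IRIX build.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Alignment-safe 16-bit store in network byte order: two byte writes,
 * so p may point anywhere in a byte buffer. This is the hypothetical
 * replacement for *(unsigned short *)(p) = htons(v), which traps with
 * SIGBUS on strict-alignment CPUs (MIPS/IRIX, SPARC) when p is odd. */
static void set16_safe(unsigned char *p, uint16_t v)
{
    p[0] = (unsigned char)(v >> 8);
    p[1] = (unsigned char)(v & 0xffu);
}

/* Matching read; avoids *(unsigned short *)p for the same reason. */
static uint16_t get16_safe(const unsigned char *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* 1 if p is a multiple of 'align' bytes, i.e. safe to access as a type
 * with that alignment requirement (align must be non-zero). */
static int is_aligned(const void *p, size_t align)
{
    return (uintptr_t)p % align == 0;
}

/* Encode a DNS question section (labels, zero terminator, QTYPE, QCLASS)
 * at buf+off. Returns bytes written, or 0 on a bad label or overflow. */
static size_t build_question(unsigned char *buf, size_t cap, size_t off,
                             const char *name, uint16_t qtype, uint16_t qclass)
{
    size_t pos = off;
    const char *label = name;

    while (*label != '\0') {
        const char *dot = strchr(label, '.');
        size_t len = dot ? (size_t)(dot - label) : strlen(label);
        if (len == 0 || len > 63 || pos + 1 + len > cap)
            return 0;                    /* empty/oversized label or no room */
        buf[pos++] = (unsigned char)len;
        memcpy(buf + pos, label, len);
        pos += len;
        label = dot ? dot + 1 : label + len;
    }
    if (pos + 1 + 4 > cap)
        return 0;
    buf[pos++] = 0;                      /* root label ends the name */
    set16_safe(buf + pos, qtype);  pos += 2;   /* fine at any alignment */
    set16_safe(buf + pos, qclass); pos += 2;
    return pos - off;
}

/* Place a question after a 12-byte DNS header in a 2-byte-aligned scratch
 * buffer (constructed here) and report whether the QTYPE field is 2-byte
 * aligned: 1 = aligned, 0 = the cast-based macro would be a misaligned
 * store, -1 = name could not be encoded. */
static int qtype_store_is_aligned(const char *name)
{
    static uint16_t backing[256];        /* guarantees 2-byte alignment */
    unsigned char *buf = (unsigned char *)backing;
    size_t n = build_question(buf, sizeof backing, 12, name, 1, 1);
    if (n == 0)
        return -1;
    return is_aligned(buf + 12 + n - 4, sizeof(uint16_t));
}

int main(void)
{
    const char *names[] = { "a", "ab", "www.example.com" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        int ok = qtype_store_is_aligned(names[i]);
        printf("%-16s QTYPE store is %s for a 16-bit cast\n",
               names[i], ok == 1 ? "aligned" : "MISALIGNED");
    }
    return 0;
}
```

Whether the type field ends up odd depends only on the encoded length of the name, so the same binary works for some host names and bus-errors for others; x86 silently tolerates the misaligned store, which is why the problem only showed up on the IRIX build. Byte-wise stores (or a memcpy through a local uint16_t) cost nothing measurable and remove the dependence on the CPU's alignment rules.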